3. UAC User Interface
Windows Vista uses a shield icon to indicate
which features of an application require elevated rights. For example,
standard users can run Task Manager (as shown in Figure 3),
but they will need administrative credentials if they click the
Resource Monitor button. The shield icon serves to warn users before
they attempt to access a feature they might not have sufficient
privileges for.
By default, the consent or credential prompt appears on the secure desktop.
The secure desktop freezes and darkens the entire desktop except for
the UAC prompt, making it very difficult for malware to trick you into
providing consent.
The secure desktop actually makes a bitmap copy
of the current screen, and then alpha-blends it to darken it. To prove
that it’s a bitmap copy, open Task Manager, click the Performance tab,
and notice how the CPU Usage History chart updates. Then, attempt to
open Computer Manager. When the UAC prompt appears, the Task Manager window
shown behind it stops updating, because it is only a static image. Task Manager
itself continues to draw the graph in the background,
even though it’s not visible—this will be apparent if you wait a few
seconds and then close the UAC prompt.
UAC prompts are color-coded to indicate the level of risk associated with the application:
If the top portion of the dialog is red, policy will prevent the application from running and users do not have the option of allowing it to run.
If the top portion is yellow, as shown in Figure 4, the application is unsigned, or it’s signed but the certificate is not trusted.
If the top portion is green, it indicates that the application is a component of Windows Vista, such as the Microsoft Management Console (MMC), as shown earlier in Figure 2.
If the top portion is gray, the application is signed and trusted by the local computer.
When training users, point out the color coding.
Tell them to pay particular attention to yellow prompts, which indicate
an increased risk of the application being malicious.
4. How Windows Vista Determines Whether an Application Needs Administrative Privileges
Windows Vista examines several aspects of an
executable to determine whether it should display a UAC prompt before
running the application:
Application properties: Users can select the Run As Administrator check box for executable files.
Application manifest: A description of the application provided by the application developer, which can require Windows Vista to run the program as an administrator.
Application heuristics: Aspects of the application that might indicate it requires administrative privileges, such as being named “Setup.exe”.
The sections that follow describe each of these
aspects and show you how to configure applications so that they always
require elevated privileges (which is important if an application does
not work properly without elevated privileges but UAC does not
automatically prompt the user).
How to Control UAC Using Application Properties
If the application does not automatically run
with administrative credentials, you can right-click the application and
then click Run As Administrator. If you deploy an application to users,
however, you should configure the application to automatically prompt
the user if it does not. To mark an application to always run with
administrative credentials, follow these steps:
1. Log on using administrative credentials, but do not use the built-in Administrator account.
2. Right-click the application, and then click Properties.
3. Click the Compatibility tab. If you want other users on the same computer to run the application with administrative privileges, click Show Settings For All Users.
4. Under Privilege Level, select the Run This Program As An Administrator check box, as shown in Figure 5. Click OK. If the check box is not available, it means that the application is blocked from always running elevated, the application does not require administrative credentials to run, the application is part of the current version of Windows Vista, or you are not logged into the computer as an administrator.
You only need to mark applications that require
administrative credentials but do not cause UAC to automatically prompt
the user. You cannot set privilege level for Windows components, such
as the command prompt. Instead, you should always right-click them and
click Run This Program As An Administrator.
How UAC Examines the Application Manifest
For applications to receive a Certified For Windows Vista logo, they must include an embedded requested execution level manifest that specifies the privileges required. The privilege level is one of the following:
asInvoker or RunAsInvoker: The application runs using the standard user privileges, and will not initiate a UAC prompt.
highestAvailable or RunAsHighest: The application requests privileges higher than standard users and generates a UAC prompt. However, if the user does not provide additional credentials, the application will run anyway, using standard privileges. This is useful for applications that can adjust to either higher or lower privilege levels, or for applications that might need more privileges than a standard user, but fewer than a full administrator. For example, backup applications typically need the user to be a member of the Backup Operators group, but do not require the user to be a member of the Administrators group.
requireAdministrator or RunAsAdmin: The application requires administrative privileges, generating a UAC prompt. The application will not run with standard privileges.
UAC Heuristics
If you run an application setup file, UAC will
prompt you for administrative credentials. This makes sense, because
most installation routines require elevated privileges. However,
installers created before Windows Vista do not include a manifest, so
Windows Vista has to heuristically detect which executables are setup
files.
To do this, Windows Vista examines
32-bit executables without a requested execution level manifest that
would be run with standard privileges. If the executable meets those
requirements and has a file name or metadata that includes keywords such
as install, setup, or update
(or several other indicators that it might be an installer), UAC
prompts for elevated privileges before running the file. If UAC does not
prompt you for administrator credentials for an install, right-click
the setup file and then click Run As Administrator. Without
administrative privileges, most installations will fail.
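The manifest check and the installer heuristic described in the two sections above can be combined into a small audit helper that reports what UAC behaviour to expect for an executable before you deploy it. This is an added example, not code from Windows or from the original text; the function names and the sample manifest are constructed for illustration, and only the file-name keywords listed above are modelled (not the metadata or other indicators Windows also checks).

```python
import xml.etree.ElementTree as ET

# UAC behaviour per requested execution level, as the text above describes it.
LEVEL_BEHAVIOUR = {
    "asinvoker": "no prompt; runs with standard user privileges",
    "highestavailable": "prompt; runs with standard privileges if none are supplied",
    "requireadministrator": "prompt; will not run with standard privileges",
}
# Keywords named in the text; other indicators Windows checks are not modelled.
INSTALLER_KEYWORDS = ("install", "setup", "update")

# Constructed sample: an embedded manifest that requests administrator rights.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

def requested_level(manifest_xml):
    """Return the level attribute of requestedExecutionLevel, or None."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Tags look like '{namespace}name'; compare the local name only,
        # so the element is found whichever namespace trustInfo uses.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None

def uac_expectation(file_name, manifest_xml=None, is_32bit=True):
    """Describe the expected UAC behaviour for one executable."""
    level = requested_level(manifest_xml)
    if level is not None:
        return LEVEL_BEHAVIOUR.get(level.lower(), "unrecognised level: " + level)
    # The heuristic applies only to 32-bit executables without a manifest.
    if is_32bit and any(k in file_name.lower() for k in INSTALLER_KEYWORDS):
        return "prompt; installer heuristic matched the file name"
    return "no prompt expected; mark Run As Administrator if elevation is needed"

if __name__ == "__main__":
    # Constructed inventory: (file name, manifest text or None).
    for name, manifest in [("tool.exe", SAMPLE_MANIFEST), ("Setup.exe", None),
                           ("legacyapp.exe", None)]:
        print(f"{name:15} {uac_expectation(name, manifest)}")
```

Executables that land in the last category are the ones to mark on the Compatibility tab if they fail without elevation.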